International Association for Cryptologic Research

IACR News Central

Get an update on changes of the IACR web-page here. For questions, contact newsletter (at) You can also receive updates via:

To receive your credentials via mail again, please click here.

You can also access the full news archive.

Further sources to find out about changes are CryptoDB, ePrint RSS, ePrint Web, Event calender (iCal).

18:17 [Pub][ePrint] Attacks in Stream Ciphers: A Survey, by Gustavo Banegas

  Nowadays there are different types of attacks in block and stream ciphers. In this work we will present some

of the most used attacks on stream ciphers. We will present the newest techniques with an example of usage in

a cipher, explain and comment. Previous we will explain the difference between the block ciphers and stream


15:17 [Pub][ePrint] Fully Collusion-Resistant Traceable Key-Policy Attribute-Based Encryption with Sub-linear Size Ciphertexts, by Zhen Liu and Zhenfu Cao and Duncan S. Wong

  Recently a series of expressive, secure and efficient Attribute-Based Encryption (ABE) schemes, both in key-policy flavor and ciphertext-policy flavor, have been proposed.

However, before being applied into practice, these systems have to attain traceability of malicious users.

As the decryption privilege of a decryption key in Key-Policy ABE (resp. Ciphertext-Policy ABE) may be shared by multiple users who own the same access policy (resp. attribute set), malicious users might tempt to leak their decryption privileges to third parties, for financial gain as an example, if there is no tracing mechanism for tracking them down.

In this work we study the traceability notion in the setting of Key-Policy ABE, and formalize Key-Policy ABE supporting fully collusion-resistant blackbox traceability. An adversary is allowed to access an arbitrary number of keys of its own choice when building a decryption-device, and given such a decryption-device while the underlying decryption algorithm or key may not be given, a Blackbox tracing algorithm can find out at least one of the malicious users whose keys have been used for building the decryption-device.

We propose a construction, which supports both fully collusion-resistant blackbox traceability and high expressiveness (i.e. supporting any monotonic access structures). The construction

is fully secure in the standard model (i.e. it achieves the best security level that the conventional non-traceable ABE systems do to date), and

is efficient that the fully collusion-resistant blackbox traceability is attained at the price of making ciphertexts grow only sub-linearly in the number of users in the system, which is the most efficient level to date.

12:17 [Pub][ePrint] The Usage of Counter Revisited: Second-Preimage Attack on New Russian Standardized Hash Function, by Jian Guo and Jérémy Jean and Gaëtan Leurent and Thomas Peyrin and Lei Wang

  Streebog is a new Russian hash function standard. It follows the HAIFA

framework as domain extension algorithm and claims to resist recent generic

second-preimage attacks with long messages. However, we demonstrate in this

article that the specific instantiation of the HAIFA framework used in Streebog

makes it weak against such attacks. More precisely, we observe that Streebog

makes a rather poor usage of the HAIFA counter input in the compression

function, which allows to construct second-preimages on the full Streebog-512

with a complexity as low as 2^{266} compression function evaluations for long

messages. This complexity has to be compared with the expected 2^{512}

computations bound that an ideal hash function should provide. Our work is a

good example that one must be careful when using a design framework for which

not all instances are secure. HAIFA helps designers to build a secure hash

function, but one should pay attention to the way the counter is handled inside

the compression function.

00:17 [Pub][ePrint] SCORAM: Oblivious RAM for Secure Computation, by Xiao Shaun Wang and Yan Huang and T-H. Hubert Chan and abhi shelat and Elaine Shi

  Oblivious RAMs (ORAMs) have traditionally been measured by their \\emph{bandwidth overhead} and \\emph{client storage}. We observe that when using ORAMs to build secure computation protocols for RAM programs, the \\emph{size} of the ORAM circuits is more relevant to the performance.

We therefore embark on a study of the \\emph{circuit-complexity} of several recently proposed ORAM constructions. Our careful implementation and experiments show that asymptotic analysis is not indicative of the true performance of ORAM in secure computation protocols with practical data sizes.

We then present SCORAM, a heuristic \\emph{compact} ORAM design optimized for secure computation protocols. Our new design is almost 10x smaller in circuit size and also faster than all other designs we have tested for realistic settings (i.e., memory sizes between 4MB and 2GB, constrained by $2^{-80}$ failure probability). SCORAM\\ makes it feasible to perform secure computations on gigabyte-sized data sets.

00:17 [Pub][ePrint] Circuit ORAM: On Tightness of the Goldreich-Ostrovsky Lower Bound, by Xiao Shaun Wang and T-H. Hubert Chan and Elaine Shi

  Oblivious RAM (ORAM) constructions have traditionally been measured by their

bandwidth cost,

or the blowup in the ORAM\'s running time in comparison with the non-oblivious baseline.

While these metrics can suitably characterize

an ORAM\'s performance in secure processor

and cloud outsourcing applications, recent works

have observed that other applications such as

secure multi-party computation

demand a different metric, namely, the ORAM\'s circuit complexity.

Following the tree-based ORAM paradigm by Shi et al., we propose a new ORAM scheme called

Circuit ORAM. Circuit ORAM achieves $O(D \\log N) \\omega(1)$

total circuit size\\footnote{ We use the notation $g(N) = O(f(N)) \\omega(1)$

to denote that for any $\\alpha(N) = \\omega(1)$, it holds that $g (N) = O(f(N)


(over all protocol interactions) for memory words of $D = \\Omega(\\log^2 N)$ bits, while achieving a negligible failure probability.

For memory words of $D = \\Omega(\\log^2 N)$ bits,

Circuit ORAM

achieves smaller circuits both asymptotically and in practice

than all

previously known ORAM schemes.

Empirical results suggest that Circuit ORAM yields circuits that are 8x to 48x smaller than Path ORAM for datasets of roughly 1GB. The speedup will be even greater for larger data sizes.

Circuit ORAM is

also theoretically interesting

when interpreted under the traditional metrics.

Parameterizing the scheme slightly differently, we show the following.

Let $0 < \\epsilon < 1$ denote any constant, and consider a family of RAMs with $N$

words each of which $N^\\epsilon$ bits in size. Any RAM in this class can be compiled to

an Oblivious RAM with $O(1)$ words of CPU cache,

running in $O(T \\log N) \\omega(1)$ time, and achieving negligible statistical failure probability (or running in $O(T \\log N)$ time but with inverse polynomial failure probability).

This suggests that certain stronger interpretations of the

Goldreich-Ostrovsky ORAM lower bound are tight --- in particular their lower

bound trivially generalizes to any $O(1)$ failure probability,

and works for arbitrary memory word sizes.

00:17 [Pub][ePrint] How to Estimate the Success Rate of Higher-Order Side-Channel Attacks, by Victor Lomné, Emmanuel Prouff, Matthieu Rivain, Thomas Roche, Adrian Thillard

  The resistance of a cryptographic implementation with regards to side-channel analysis is often quantified by measuring the success rate of a given attack. This approach cannot always be followed in practice, especially when the implementation includes some countermeasures that may render the attack too costly for an evaluation purpose, but not costly enough from a security point of view. An evaluator then faces the issue of estimating the success rate of an attack he cannot mount. The present paper adresses this issue by presenting a methodology to estimate the success rate of higher-order side-channel attacks targeting implementations protected by masking. Specifically, we generalize the approach initially proposed at SAC 2008 in the context of first-order side-channel attacks. The principle is to approximate the distribution of an attack\'s score vector by a multivariate Gaussian distribution, whose parameters are derived by profiling the leakage. One can then accurately compute the expected attack success rate with respect to the number of leakage measurements. We apply this methodology to higher-order side-channel attacks based on the widely used correlation and likelihood distinguishers. Moreover, we validate our approach with simulations and practical attack experiments against masked AES implemenations running on two different microcontrollers.

00:17 [Pub][ePrint] Efficient RAM and control flow in verifiable outsourced computation, by Riad S. Wahby and Srinath Setty and Zuocheng Ren and Andrew J. Blumberg and Michael Walfish

  Recent work on proof-based verifiable computation has resulted in built

systems that employ tools from complexity theory and cryptography to

address a basic problem in systems security: allowing a local computer

to outsource the execution of a program while providing the local

computer with a guarantee of integrity and the remote computer with a

guarantee of privacy. However, support for programs that use RAM and

complicated control flow has been problematic. State of the art systems

restrict the use of these constructs (e.g., requiring static loop

bounds), incur sizable overhead on every step to support these

constructs, or pay tremendous costs when the constructs are invoked.

This paper describes Buffet, a built system that solves these problems

by providing inexpensive \"a la carte\" RAM and dynamic control flow

constructs. Buffet composes an elegant prior approach to RAM with a

novel adaptation of techniques from the compiler community. The result

is a system that allows the programmer to express programs in an

expansive subset of C (disallowing only \"goto\" and function pointers),

can handle essentially any example in the verifiable computation

literature, and achieves the best performance in the area by multiple

orders of magnitude.

02:53 [Event][New] 8th International Conference on Cryptology Africacrypt 2015

  Submission: 9 January 2015
Notification: 27 February 2015
From May 27 to May 29
Location: Dakar, Senegal
More Information:

00:17 [Pub][ePrint] One-Round Deniable Key Exchange with Perfect Forward Security, by Weiqiang Wen and Libin Wang and Min Xie

  In response to the need for secure one-round authenticated key exchange protocols providing both perfect forward secrecy and full deniability, we put forward a new paradigm for constructing protocols from a Diffie-Hellman type protocol plus a non-interactive designated verifier proof of knowledge (DV-PoK) scheme. We define the notion of DV-PoK which is a variant of non-interactive zero-knowledge proof of knowledge, and provide an efficient DV-PoK scheme as a central technical building block of our protocol. The DV-PoK scheme possesses nice properties such as unforgeability and symmetry which help our protocol to achieve perfect forward secrecy and full deniability respectively. Moreover, the security properties are formally proved in the Canetti-Krawczyk model under the Gap Diffie-Hellman assumption. In sum, our protocol offers a remarkable combination of salient security properties and efficiency, and the notion of DV-PoK is of independent interests.

00:17 [Pub][ePrint] Outsourced Pattern Matching, by Sebastian Faust and Carmit Hazay and Daniele Venturi

  In secure delegatable computation, computationally weak devices (or clients) wish to outsource their computation and data to an untrusted server in the cloud. While most earlier work considers the general question of how to securely outsource any computation to the cloud server, we focus on concrete and important functionalities and give the first protocol for the pattern matching problem in the cloud.

Loosely speaking, this problem considers a text $T$ that is outsourced to the cloud $\\bfS$ by a sender $\\sen$. In a query phase, receivers $\\rec_1, \\ldots , \\rec_l$ run an efficient protocol with the server $\\bfS$ and the sender $\\sen$ in order to learn the positions at which a pattern of length $m$ matches the text (and nothing beyond that). This is called the outsourced pattern matching problem which is highly motivated in the context of delegatable computing since it offers storage alternatives for massive databases that contain confidential data (e.g., health related data about patient history).

Our constructions are simulation-based secure in the presence of semi-honest and malicious adversaries (in the random oracle model) and limit the communication in the query phase to $O(m)$ bits plus the number of occurrences---which is optimal. In contrast to generic solutions for delegatable computation, our schemes do not rely on fully homomorphic encryption but instead use novel ideas for solving pattern matching, based on a reduction to the subset sum problem. Interestingly, we do not rely on the hardness of the problem, but rather we exploit instances that are solvable in polynomial-time. A follow-up result demonstrates that the random oracle is essential in order to meet our communication bound.

00:17 [Pub][ePrint] Locally Decodable and Updatable Non-Malleable Codes and Their Applications, by Dana Dachman-Soled and Feng-Hao Liu and Elaine Shi and Hong-Sheng Zhou

  Non-malleable codes, introduced as a relaxation of error-correcting codes by Dziembowski, Pietrzak and Wichs (ICS \'10), provide the security guarantee that the message contained in a tampered codeword is either the same as the original message or is set to an unrelated value. Various applications of non-malleable codes have been discovered, and one of the most significant applications among these is the connection with tamper-resilient cryptography. There is a large body of work considering security against various classes of tampering functions, as well as non-malleable codes with enhanced features such as leakage resilience.

In this work, we propose combining the concepts of non-malleability, leakage resilience, and locality in a coding scheme. The contribution of this work is three-fold:

1. As a conceptual contribution, we define a new notion of locally decodable and updatable non-malleable code that combines the above properties.

2. We present two simple and efficient constructions achieving our new notion with different levels of security.

3. We present an important application of our new tool--securing RAM computation against memory tampering and leakage attacks. This is analogous to the usage of traditional non-malleable codes to secure implementations in the circuit model against memory tampering and leakage attacks.